jwt_sessions 3.0.1 → 3.1.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +12 -0
- data/README.md +11 -11
- data/lib/jwt_sessions/store_adapters/redis_store_adapter.rb +2 -1
- data/lib/jwt_sessions/version.rb +1 -1
- data/lib/jwt_sessions.rb +3 -1
- data/test/units/jwt_sessions/test_access_token.rb +1 -1
- data/test/units/jwt_sessions/test_refresh_token.rb +1 -1
- data/test/units/jwt_sessions/test_session.rb +11 -1
- data/test/units/jwt_sessions/test_token.rb +6 -6
- data/test/units/test_jwt_sessions.rb +1 -1
- metadata +4 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: e1264eae87a9f5dc03028ee842e83da499f4d9d3f819d10b676f1bcde974cc2a
|
|
4
|
+
data.tar.gz: a29d5d6d8a07d24f275072536c7cd912e041aeec6d4c9392eeebf30b9c6337a1
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 4abc1c449bd2692b00797c42c235d52dd4f67e30176e77d04da79a29fd5828ee73696908745ce8432af2cc8514523b24d4128158822ce412f2e9d6092550ad91
|
|
7
|
+
data.tar.gz: 6b7006560ab05859b51c9add771f029b68c0f09a391fe576c47b6e97ba72b1bdbabb8c787262a07553962e24bdccb2148c2bf960f614af56e497f8c18e9a4c7a
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,15 @@
|
|
|
1
|
+
## 3.1.1 (May 6, 2023)
|
|
2
|
+
|
|
3
|
+
Bugfixes:
|
|
4
|
+
|
|
5
|
+
- fix bug with flushing empty refresh tokens (Unsupported command argument type: NilClass (TypeError))
|
|
6
|
+
|
|
7
|
+
## 3.1.0 (February 18, 2023)
|
|
8
|
+
|
|
9
|
+
Features:
|
|
10
|
+
|
|
11
|
+
- rename `encryption_key=` to `signing_key=` (keep the alias for backward compatibility)
|
|
12
|
+
|
|
1
13
|
## 3.0.1 (December 28, 2022)
|
|
2
14
|
|
|
3
15
|
Support:
|
data/README.md
CHANGED
|
@@ -60,10 +60,10 @@ bundle install
|
|
|
60
60
|
|
|
61
61
|
## Getting Started
|
|
62
62
|
|
|
63
|
-
You should configure an
|
|
63
|
+
You should configure an algorithm and specify the signing key. By default the gem uses the `HS256` signing algorithm.
|
|
64
64
|
|
|
65
65
|
```ruby
|
|
66
|
-
JWTSessions.
|
|
66
|
+
JWTSessions.signing_key = "secret"
|
|
67
67
|
```
|
|
68
68
|
|
|
69
69
|
`Authorization` mixin provides helper methods which are used to retrieve the access and refresh tokens from incoming requests and verify the CSRF token if needed. It assumes that a token can be found either in a cookie or in a header (cookie and header names are configurable). It tries to retrieve the token from headers first and then from cookies (CSRF check included) if the header check fails.
|
|
@@ -119,7 +119,7 @@ Available `JWTSessions::Session.new` options:
|
|
|
119
119
|
|
|
120
120
|
- **payload**: a hash object with session data which will be included into an access token payload. Default is an empty hash.
|
|
121
121
|
- **refresh_payload**: a hash object with session data which will be included into a refresh token payload. Default is the value of the access payload.
|
|
122
|
-
- **access_claims**: a hash object with [JWT claims](https://github.com/jwt/ruby-jwt#support-for-reserved-claim-names) which will be validated within the access token payload. For example, `{ aud
|
|
122
|
+
- **access_claims**: a hash object with [JWT claims](https://github.com/jwt/ruby-jwt#support-for-reserved-claim-names) which will be validated within the access token payload. For example, `{ "aud" => ["admin"], "verify_aud" => true }` means that the token can be used only by "admin" audience. Also, the endpoint can automatically validate claims instead. See `token_claims` method.
|
|
123
123
|
- **refresh_claims**: a hash object with [JWT claims](https://github.com/jwt/ruby-jwt#support-for-reserved-claim-names) which will be validated within the refresh token payload.
|
|
124
124
|
- **namespace**: a string object which helps to group sessions by a custom criteria. For example, sessions can be grouped by user ID, making it possible to logout the user from all devices. More info [Sessions Namespace](#sessions-namespace).
|
|
125
125
|
- **refresh_by_access_allowed**: a boolean value. Default is false. It links access and refresh tokens (adds refresh token ID to access payload), making it possible to perform a session refresh by the last expired access token. See [Refresh with access token](#refresh-with-access-token).
|
|
@@ -152,15 +152,15 @@ class ApplicationController < ActionController::API
|
|
|
152
152
|
end
|
|
153
153
|
```
|
|
154
154
|
|
|
155
|
-
Specify
|
|
155
|
+
Specify a signing key for JSON Web Tokens in `config/initializers/jwt_session.rb` \
|
|
156
156
|
It is advisable to store the key itself in a secure way, f.e. within app credentials.
|
|
157
157
|
|
|
158
158
|
```ruby
|
|
159
159
|
JWTSessions.algorithm = "HS256"
|
|
160
|
-
JWTSessions.
|
|
160
|
+
JWTSessions.signing_key = Rails.application.credentials.secret_jwt_signing_key
|
|
161
161
|
```
|
|
162
162
|
|
|
163
|
-
Most of the
|
|
163
|
+
Most of the algorithms require private and public keys to sign a token. However, HMAC requires only a single key and you can use the `signing_key` shortcut to sign the token. For other algorithms you must specify private and public keys separately.
|
|
164
164
|
|
|
165
165
|
```ruby
|
|
166
166
|
JWTSessions.algorithm = "RS256"
|
|
@@ -294,7 +294,7 @@ require "sinatra/base"
|
|
|
294
294
|
JWTSessions.access_header = "authorization"
|
|
295
295
|
JWTSessions.refresh_header = "x_refresh_token"
|
|
296
296
|
JWTSessions.csrf_header = "x_csrf_token"
|
|
297
|
-
JWTSessions.
|
|
297
|
+
JWTSessions.signing_key = "secret key"
|
|
298
298
|
|
|
299
299
|
class SimpleApp < Sinatra::Base
|
|
300
300
|
include JWTSessions::Authorization
|
|
@@ -395,7 +395,7 @@ JWTSessions.algorithm = "HS256"
|
|
|
395
395
|
You need to specify a secret to use for HMAC as this setting does not have a default value.
|
|
396
396
|
|
|
397
397
|
```ruby
|
|
398
|
-
JWTSessions.
|
|
398
|
+
JWTSessions.signing_key = "secret"
|
|
399
399
|
```
|
|
400
400
|
|
|
401
401
|
If you are using another algorithm like RSA/ECDSA/EDDSA you should specify private and public keys.
|
|
@@ -426,9 +426,9 @@ class UsersController < ApplicationController
|
|
|
426
426
|
|
|
427
427
|
def token_claims
|
|
428
428
|
{
|
|
429
|
-
aud
|
|
430
|
-
verify_aud
|
|
431
|
-
exp_leeway
|
|
429
|
+
"aud" => ["admin", "staff"],
|
|
430
|
+
"verify_aud" => true, # can be used locally instead of a global setting
|
|
431
|
+
"exp_leeway" => 15 # will be used instead of default leeway only for exp claim
|
|
432
432
|
}
|
|
433
433
|
end
|
|
434
434
|
end
|
|
@@ -78,7 +78,8 @@ module JWTSessions
|
|
|
78
78
|
# to be able to properly initialize namespaced tokens extract their namespaces
|
|
79
79
|
# and pass down to fetch_refresh
|
|
80
80
|
token_namespace = namespace.to_s.empty? ? namespace_from_key(key) : namespace
|
|
81
|
-
|
|
81
|
+
token_attrs = fetch_refresh(uid, token_namespace)
|
|
82
|
+
acc[uid] = token_attrs unless token_attrs.empty?
|
|
82
83
|
end
|
|
83
84
|
end
|
|
84
85
|
|
data/lib/jwt_sessions/version.rb
CHANGED
data/lib/jwt_sessions.rb
CHANGED
|
@@ -121,10 +121,12 @@ module JWTSessions
|
|
|
121
121
|
end
|
|
122
122
|
|
|
123
123
|
# should be used for hmac only
|
|
124
|
-
def
|
|
124
|
+
def signing_key=(key)
|
|
125
125
|
@public_key = key
|
|
126
126
|
@private_key = key
|
|
127
127
|
end
|
|
128
|
+
# alias for backward compatibility
|
|
129
|
+
alias encryption_key= signing_key=
|
|
128
130
|
|
|
129
131
|
def access_expiration
|
|
130
132
|
Time.now.to_i + access_exp_time.to_i
|
|
@@ -7,7 +7,7 @@ class TestAccessToken < Minitest::Test
|
|
|
7
7
|
attr_reader :access_token, :uid
|
|
8
8
|
|
|
9
9
|
def setup
|
|
10
|
-
JWTSessions.
|
|
10
|
+
JWTSessions.signing_key = "secret key"
|
|
11
11
|
@payload = { user_id: 1 }
|
|
12
12
|
@csrf = JWTSessions::CSRFToken.new
|
|
13
13
|
@uid = SecureRandom.uuid
|
|
@@ -9,7 +9,7 @@ class TestRefreshToken < Minitest::Test
|
|
|
9
9
|
def setup
|
|
10
10
|
JWTSessions::Session.flush_all
|
|
11
11
|
|
|
12
|
-
JWTSessions.
|
|
12
|
+
JWTSessions.signing_key = "secure key"
|
|
13
13
|
@access_uid = SecureRandom.uuid
|
|
14
14
|
@csrf = JWTSessions::CSRFToken.new
|
|
15
15
|
@token = JWTSessions::RefreshToken.create(@csrf.encoded,
|
|
@@ -9,7 +9,7 @@ class TestSession < Minitest::Test
|
|
|
9
9
|
REFRESH_KEYS = %i[access access_expires_at csrf].freeze
|
|
10
10
|
|
|
11
11
|
def setup
|
|
12
|
-
JWTSessions.
|
|
12
|
+
JWTSessions.signing_key = "security"
|
|
13
13
|
@payload = { test: "secret" }
|
|
14
14
|
@session = JWTSessions::Session.new(payload: payload)
|
|
15
15
|
@tokens = session.login
|
|
@@ -326,6 +326,16 @@ class TestSession < Minitest::Test
|
|
|
326
326
|
assert_equal access_token.expiration.to_s, refresh_token.access_expiration
|
|
327
327
|
end
|
|
328
328
|
|
|
329
|
+
def test_flush_namespaced_access_tokens_after_flush_namespaced
|
|
330
|
+
namespace = "test_namespace"
|
|
331
|
+
session = JWTSessions::Session.new(payload: payload, namespace: namespace)
|
|
332
|
+
session.login
|
|
333
|
+
|
|
334
|
+
assert_equal 1, session.flush_namespaced
|
|
335
|
+
# it should not throw an error
|
|
336
|
+
assert_equal 0, session.flush_namespaced_access_tokens
|
|
337
|
+
end
|
|
338
|
+
|
|
329
339
|
def test_flush_all
|
|
330
340
|
refresh_token = @session.instance_variable_get(:"@_refresh")
|
|
331
341
|
flushed_count = JWTSessions::Session.flush_all
|
|
@@ -19,7 +19,7 @@ class TestToken < Minitest::Test
|
|
|
19
19
|
|
|
20
20
|
def setup
|
|
21
21
|
@payload = { "user_id" => 1, "secret" => "mystery" }
|
|
22
|
-
JWTSessions.
|
|
22
|
+
JWTSessions.signing_key = "abcdefghijklmnopqrstuvwxyzABCDEF"
|
|
23
23
|
end
|
|
24
24
|
|
|
25
25
|
def teardown
|
|
@@ -70,7 +70,7 @@ class TestToken < Minitest::Test
|
|
|
70
70
|
end
|
|
71
71
|
|
|
72
72
|
def test_hmac_token_decode
|
|
73
|
-
JWTSessions.
|
|
73
|
+
JWTSessions.signing_key = "abcdefghijklmnopqrstuvwxyzABCDEF"
|
|
74
74
|
token = JWTSessions::Token.encode(payload)
|
|
75
75
|
decoded = JWTSessions::Token.decode(token).first
|
|
76
76
|
assert_equal payload["user_id"], decoded["user_id"]
|
|
@@ -78,7 +78,7 @@ class TestToken < Minitest::Test
|
|
|
78
78
|
end
|
|
79
79
|
|
|
80
80
|
def test_token_sub_claim
|
|
81
|
-
JWTSessions.
|
|
81
|
+
JWTSessions.signing_key = "abcdefghijklmnopqrstuvwxyzABCDEF"
|
|
82
82
|
JWTSessions.jwt_options[:verify_sub] = true
|
|
83
83
|
token = JWTSessions::Token.encode(payload.merge(sub: "subject"))
|
|
84
84
|
decoded = JWTSessions::Token.decode(token, { sub: "subject" }).first
|
|
@@ -90,7 +90,7 @@ class TestToken < Minitest::Test
|
|
|
90
90
|
end
|
|
91
91
|
|
|
92
92
|
def test_token_iss_claim
|
|
93
|
-
JWTSessions.
|
|
93
|
+
JWTSessions.signing_key = "abcdefghijklmnopqrstuvwxyzABCDEF"
|
|
94
94
|
JWTSessions.jwt_options[:verify_iss] = true
|
|
95
95
|
token = JWTSessions::Token.encode(payload.merge(iss: "Me"))
|
|
96
96
|
decoded = JWTSessions::Token.decode(token, { iss: "Me" }).first
|
|
@@ -102,7 +102,7 @@ class TestToken < Minitest::Test
|
|
|
102
102
|
end
|
|
103
103
|
|
|
104
104
|
def test_token_aud_claim
|
|
105
|
-
JWTSessions.
|
|
105
|
+
JWTSessions.signing_key = "abcdefghijklmnopqrstuvwxyzABCDEF"
|
|
106
106
|
JWTSessions.jwt_options[:verify_aud] = true
|
|
107
107
|
token = JWTSessions::Token.encode(payload.merge(aud: ["young", "old"]))
|
|
108
108
|
decoded = JWTSessions::Token.decode(token, { aud: ["young"] }).first
|
|
@@ -114,7 +114,7 @@ class TestToken < Minitest::Test
|
|
|
114
114
|
end
|
|
115
115
|
|
|
116
116
|
def test_token_leeway_decode
|
|
117
|
-
JWTSessions.
|
|
117
|
+
JWTSessions.signing_key = "abcdefghijklmnopqrstuvwxyzABCDEF"
|
|
118
118
|
JWTSessions.jwt_options[:leeway] = 50
|
|
119
119
|
token = JWTSessions::Token.encode(payload.merge("exp" => Time.now.to_i - 20))
|
|
120
120
|
decoded = JWTSessions::Token.decode(token).first
|
|
@@ -18,7 +18,7 @@ class TestJWTSessions < Minitest::Test
|
|
|
18
18
|
assert_equal JWTSessions::DEFAULT_CSRF_HEADER, JWTSessions.csrf_header
|
|
19
19
|
end
|
|
20
20
|
|
|
21
|
-
def
|
|
21
|
+
def test_signing_key
|
|
22
22
|
JWTSessions.encryption_key = nil
|
|
23
23
|
assert_raises JWTSessions::Errors::Malconfigured do
|
|
24
24
|
JWTSessions.private_key
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: jwt_sessions
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 3.
|
|
4
|
+
version: 3.1.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
|
-
-
|
|
7
|
+
- Julija Alieckaja
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2023-05-06 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: jwt
|
|
@@ -127,7 +127,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
127
127
|
- !ruby/object:Gem::Version
|
|
128
128
|
version: '0'
|
|
129
129
|
requirements: []
|
|
130
|
-
rubygems_version: 3.
|
|
130
|
+
rubygems_version: 3.4.12
|
|
131
131
|
signing_key:
|
|
132
132
|
specification_version: 4
|
|
133
133
|
summary: JWT Sessions
|